What We’re Watching: Opening up about our cyber (In)security

February 2024

Cyber (In)security

Credit investors are by their nature pessimists. No fun at a party, they are always on the lookout for tail-risk events that could turn a full repayment of principal into a loss. Many of these tail-risk events are difficult to anticipate and price for; think of the COVID pandemic or the tragic events of September 11, 2001.

Cyber risk, the risk of a business’s proprietary information being exposed to dangerous actors and resulting in economic loss or damage, is another tail risk which is difficult to anticipate. However, unlike global pandemics (we hope), it seems to be happening with increasing frequency and at varying levels of severity. While investors can assess a business’s preventative measures to deal with cyber risk, the reality is that every business is exposed to this risk factor in one way or another.

It is not just investors like us who struggle with cyber risk. Protiviti, a global consulting firm, just released a survey of global executives on the key risks facing their businesses. In it they highlighted that 9 out of 10 executives cited cyber threats as a long-term top-5 risk, ranking it third in 2024 and the top risk in 2034.¹

And it isn’t just a risk that resides with portfolio companies. Asset managers can also be exposed to cyber risk which can cause lockups of funds, increased redemptions and direct losses. An assessment of cyber risk needs to form a key component of any operational due diligence assessment.²

We’ve yet to see a major corporate default because of a cyber risk event, but the negative implications of cyber events are clear. Insurance premiums are rising rapidly, reflecting the losses associated with cyber threats, whether related to ransoms or financial performance; AM Best reported that in 2022 premiums increased by 50% and had tripled in the past three years. In 2017, Equifax’s share price fell by 60% following a cyber breach.

This month³ we’ll provide some context as to how we try to assess the likelihood and potential severity of cyber risk and discuss how portfolio managers can mitigate the impact of cyber risk events across their portfolio.

Assessing cyber risk through a fundamental credit lens starts with governance. It is management who prioritises the necessary investments to prevent cyber risk events from occurring and management who takes preventative action to mitigate losses once such an event occurs. Different industries have different inherent risks, but all management teams need to demonstrate that they are aware of cyber risks and have considered how these risks may impact their business.

Any investment manager should have a checklist⁴ of questions to send to a business to assess its management, but fundamentally the questions relate to prevention and mitigation. It is critical to understand the extent and nature of the data handled by a business, the extent of privacy-related documentation, disclosure and data sharing arrangements, offshoring risks and the history of compliance incidents.

In terms of the characteristics of companies impacted by cyber risk events, Chubb Insurance’s cyber index⁵ reveals some surprising facts. In 2022, companies making less than US$25 million in annual revenue were responsible for 34.2% of annual claims while companies making over US$501 million were responsible for 19.9% of annual claims. In 2023, larger companies were responsible for an estimated 28.6% of annual claims.

This data puts paid to the argument that cyber risk events tend to impact smaller businesses which have fewer resources with which to mitigate these risks. Larger companies are targeted by more sophisticated threat actors seeking larger rewards.

According to Chubb’s data, in 2022 around one quarter of claims came from the professional services sector followed by technology. Manufacturing, Financial Institutions and Retail/Hospitality also featured highly.

Chubb Cyber Index: Claims by Industry

As we think about cyber risk through the lens of a credit investor, our concern is those events that could lead to losses large enough, and uninsurable enough, to fundamentally alter the nature of a business. For example, a highly public and sustained cyber event at a major domestic bank⁶ could lead to a withdrawal of deposits from the bank and thus a liquidity event. Of course, a major bank would most likely receive support from the central bank in such an event, but for other, less systemically important institutions such support may not be forthcoming.

When we consider cyber risks through the lens of portfolio construction, we have to address the fact that cyber is a risk that is inherently difficult to quantify, and that no borrower is completely immune to. As such, the primary mitigant is diversification. By limiting our exposure to individual names, we are limiting the impact of an individual event.

Our second strategy is to carefully consider the sectors where we concentrate risk. While we have long held a positive view on securitised credit markets, non-bank lenders (which fall into the professional services sector) are more acutely affected by cyber risk. They hold significant levels of personal and private information, tend to share data with credit bureaus and software providers and often have offshore-based servicing teams. They also tend to be smaller institutions with more limited resources (how many non-banks have a Chief Information Security Officer?).

Insurers providing cover for cyber risk are exposed on multiple levels. They hold customer information and also provide cyber insurance to other firms. Domestically, Australian general insurers have not been willing to write cyber insurance for large corporates, in stark contrast to global insurers, who were paid US$13 billion in premiums in 2022 and are expected to take in US$23 billion in premiums in 2025.

Contrast this with commercial real estate. In general, the simplicity of the asset class provides a form of insulation from cyber risks, given the lack of valuable intellectual property maintained by the firms themselves. There are cyber risks that may affect underlying tenancies, but these are far more remote than the risks associated with borrowers that retain significant levels of personal information. However, more remote does not mean they entail no risk; data centres and other secure facilities are acutely exposed to cyber risks, as are student accommodation and office assets, which are increasingly reliant on integrated technology chains.

Clearly cyber risk is a growing and increasingly relevant consideration for all investors, both in ensuring that asset managers consider the risk as part of their investment process and portfolio construction, and in addressing the risks in the products they offer to clients.

Hopefully this piece has not added to your cyber insecurity but resolved you to investigate further to mitigate these risks. Good luck out there!

2. APRA has specific regulations focussed on information security which apply to superannuation funds, insurers and banks. As part of an APRA-regulated institution, Challenger is required to meet CPS 234 around information security and CPS 231 covering outsourcing. While ASIC does not prescribe specific requirements for non-regulated entities, AFS licensees are required to adopt good cybersecurity risk practices.
3. This is largely about a certain portfolio manager easing their own insecurity about cyber, hence the title of the piece. Wasn’t it Graham Greene who referred to writing as a form of therapy?
4. There are lots of checklists available online, and external certifications/standards that attest to information security, such as ISO 27001 or the NIST Cybersecurity Framework. Our intent in this piece is not to go through these certifications in detail but rather to focus on attributes of borrowers that can increase or decrease risk.
6. The RBA discussed cyber risks in the April 2022 Financial Stability Review. In it they called out the specific risks associated with a cyber attack and highlighted that the risk of a major incident is increasing.